Law Enforcement Exception to HIPAA: What Providers Need to Know
As a healthcare organization, you may receive a verbal or written request for protected health information (PHI) or copies of medical records from law enforcement officials as part of their investigation process. For example, law enforcement may need to follow up on a Division of Family & Children Services (DFCS) referral for suspected child abuse, or they may be investigating an altercation that resulted in a crime.
The HIPAA Privacy Rule contains an exception for law enforcement purposes (45 CFR § 164.512(f)), which permits a covered entity to disclose PHI to law enforcement officials without patient authorization under the following circumstances:
- Court orders, court-ordered warrants, subpoenas, and administrative requests
- To identify or locate a suspect, fugitive, material witness or missing person
- To answer a law enforcement official’s request for information about a victim or suspected victim of a crime
- To alert law enforcement of a person’s death, if the organization suspects that criminal activity caused the death
- When an organization believes that PHI is evidence of a crime that occurred on its premises
- In a medical emergency not occurring on its premises, when it’s necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
For purposes of this exception, “law enforcement official” is defined broadly and means an officer or employee (state or federal) who investigates or conducts an official inquiry into a potential violation of law or prosecutes or otherwise conducts a criminal, civil, or administrative proceeding arising from an alleged violation of law. Some examples of law enforcement officials include officers, investigators, or detectives from the Sheriff’s office, the FBI, and state detectives or investigators.
If a law enforcement official sends a letter requesting records, the letter will likely tell you where to send the requested records in addition to providing the law enforcement official’s contact information. Many times the cover letter or request will not have a “cc” line copying the other party because the investigation is sensitive or confidential.
Law enforcement officials may also verbally request PHI or copies of medical records from your organization either over the phone or in person. If a law enforcement official comes to your organization’s office in uniform and provides proper identification (business card or law enforcement ID or badge), then it is appropriate to produce the PHI. If the request comes via phone call, you are required to receive further verification before releasing PHI. You should ask the caller to provide a formal request in writing with a citation to the requestor’s source of statutory authority under state or federal law. The writing can be on an official letterhead or by email if the message includes the necessary citations to authority and is sent from the official’s work email address.
You do not have to obtain an individual’s written authorization before disclosing his or her PHI if you receive a written or adequate verbal request from a law enforcement official. These situations are considered low risk, and it is generally appropriate to comply with the law enforcement request.
Accordingly, a healthcare organization that receives a request for PHI from a law enforcement official for law enforcement purposes should feel comfortable complying with the request and recognize that producing the records to law enforcement is low risk. MagMutual’s claims data does not demonstrate any claims, payouts, or loss from a patient alleging wrongful release of PHI by a policyholder to a law enforcement official.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.